skills/ashe-li/agent-skills/update/Gen Agent Trust Hub

update

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE · COMMAND_EXECUTION · DATA_EXFILTRATION · PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute git commands (git diff --name-only) to identify modified files in the local repository.
  • [DATA_EXFILTRATION]: The skill reads sensitive session history and configuration files from the user's home directory, specifically paths like ~/.claude/projects/*/memory/MEMORY.md and ~/.claude/MEMORY.md. While used for knowledge cross-checking, these files may contain sensitive project information or previous session context.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the repository (file contents and git diffs) and passes it to sub-agents (doc-updater, code-reviewer) without explicit boundary markers or instructions to ignore embedded commands.
      • Ingestion points: git diff output and contents of files in docs/ or README.md (SKILL.md).
      • Boundary markers: Absent; there are no instructions provided to the sub-agents to distinguish between legitimate content and potential malicious instructions inside the files being scanned.
      • Capability inventory: The skill can execute shell commands (Bash), write to the filesystem (Write, Edit), and spawn additional agents (Agent).
      • Sanitization: No sanitization or escaping of the ingested file content is performed before it is processed by the sub-agents.
  • [COMMAND_EXECUTION]: The skill modifies global agent state by writing to ~/.claude/skills/learned/. This persistent modification of the agent's behavior is the intended purpose of the skill but represents a sensitive capability if misused.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 9, 2026, 01:39 PM